-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathtlsdns.usage.old
67 lines (46 loc) · 2.99 KB
/
tlsdns.usage.old
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
secdns: Generate DNS records containing security information for various services like SSH,
secdns [options] <hostname> [options] [<hostname> [options]]
secdns -n <nameserver> <zone> [options] [<zone> [options]] (requires AXFR permission)
-a attempt to generate SSHFP, IPSECKEY, TLSA and HASTLS records
-D Insist all host DNS lookups are secured by an AD bit (trusted local resolver)
(default is warn-only)
Dynamic DNS options
--update Propagate generated records via Dynamic DNS update
--forward send an update for the forward zone based on FQDN
--reverse send an update for the reverse zone based on IP[s]
TLS DNS records
------------
--hastls Generate a HASTLS record [RFCxxxx]
--with-fallback/--without-fallback Set the default fallback policy for all records if not specified per service
(default is no fallback for web,imap/pop3, allowed fallback for smtp)
--service-discover Generate HASTLS record based on probed services
This only covers wellknown services (email & web)
--service [--with-fallback] <port|name> Add the <name> service to the HASTLS list. Do not allow fallback per default
[, <port|name>] For inline TLS services, specify twice. Examples:
OR
--service www
--fallback-service http
--service http,https - allow web traffic, prefer https, no fallback
--service --with-fallback smtp,smtp - allow email with/without STARTTLS
--raw Specify record in "generic dns record" format for older nameservers.
uses RRTYPE #65280 (private use until IANA assigns the RRTYPE code)
--tlsa Generate a TLSA record [RFCxxxx]
--probe Obtain PKIX certificate or bare public key by connecting to the secure service
--file Obtain PKIX certificate or bare public key from the specified file [formats?]
use user@host:filename to specify a file over ssh
--use-certhash The default - Use the same hashing algorithm as used within the certificate
Only valid for PKIX certificate based TLS - ignored for bare public keys
--use-hash <hashname> Use <hashname> instead of the hash used in the certificate.
See IANA TLS hashnames at URL here for valid hashes
--raw Specify record in "generic dns record" format for older nameservers.
uses RRTYPE #65281 (private use until IANA assigns the RRTYPE code)
--tlstxt Generate Kaminsky style TXT records for TLS service (freebird)
IPSEC DNS records
--ipseckey | --ipsectxt Generate IPSECKEY record [RFCxxxx] or TXT record [Openswan spec]
[--file <filename>] Obtain bare public key from a local file in ipsec.secrets(x) format
[--showhostkey [[--host <hostname>] Obtain bare public key via the openswan "ipsec showhostkey" command.
If hostname is specified, a login as root is attempted to run the command.
--gateway Specify gateway IP (default: use host itself as gateway)
--pref Specify preference (similar to MX records - default 10)
SSH DNS records
--sshfp Generate SSHFP records - see sshfp(1)